About this Show

The Communicators

Michael Daniel, White House Cybersecurity... News/Business. (2013) New.

NETWORK

DURATION
00:30:00

RATING

SCANNED IN
San Francisco, CA, USA

SOURCE
Comcast Cable

TUNER
Channel 17 (141 MHz)

VIDEO CODEC
mpeg2video

AUDIO CODEC
ac3

PIXEL WIDTH
704

PIXEL HEIGHT
480

TOPIC FREQUENCY

China 6, Michael Daniel 6, U.s. 5, Cyberspace 4, Us 3, Martha Washington 2, Academia 2, Mr. Daniel 1, Brown 1, Ird 1, Cybersecurity 1, Herdrerer 1, C-span 1, Clinton 1, Canada 1, Shanghai 1, Germany 1, Etc. 1, Michelle Obama 1, Bush 1,
Borrow a DVD
of this show
  CSPAN    The Communicators    Michael Daniel, White House  
   Cybersecurity...  News/Business.  (2013) New.  

    February 23, 2013
    6:30 - 6:59pm EST  

6:30pm
here is a president from earlier this month. >> we know foreign countries swipe our corporate secrets. our enemies are also seeking the ability to sabotage our power g ird, our financial is the two shins -- institutions. we cannot look back years from now and wonder why we did nothing in the face of real that's to our security and our -- of real threats and the security of our economy. i signed an executive order that will strengthen our cyber security and developing standards to protect our national security, jobs, and privacy. >> michael daniel is a president of cyber security coordinator. mr. daniel, in the executive order of february 12, 2013, he talks about vital infrastructure. how was that defined? >> that is defined as if
6:31pm
something bad happened to it, that things would happen -- bad things would happen to it in the real world. it would be economic disruption. in the cyber context, it means that if something happened ito it in the cyber realm, there would be effects in the real brown. >> a lot of the infrastructure is in private hands er. >> many are in private hands. >> will these private institutions have to participate participate in the cyber security enhancement? >> i think for the most part it will be a voluntary and collaborative process to participate. if you look through the executive order and follow how the ring work is laid out -- framework is laid out, there is a process with the national institute of science and technology leading a process to
6:32pm
develop the framework. then the department of homeland security will encourage adoption of that framework. at the same time, the primary regulators will look at their regulations and requirements and assess relative to that framework that is being developed. they believe that their regulations -- if they believed their regulations are not sufficient in that area, they could in theory proposed new regulations that would require infrastructure to be brought up to that level. you'll find that it is a voluntary process for companies to participate. >> there are some deadlines in this executive order. will congress have a role in developing this cybersecurity? >> for the executive order, that is driven from the executive branch side.
6:33pm
from our perspective, the executive order, there's a down payment that we ultimately need to get to. we viewed the executive order that will be going on underneath it is advancing the cause of cybersecurity and advancing some of the issues that were raised in the congressional debate previously. we still need congress to enact legislation in cybersecurity. >> as a white house cyber security coordinator, what is your goal? >> i describe my role as the chief calf herdrerer. it's my job to oversee the policy development as related to cybersecurity and work on ensuring the agencies are implementing the president's policies in the space. there is a chunk of my job that is an outreach to the private sector and industry and
6:34pm
academia in the space. there's also an aspect that is international in talking to my counterparts in other countries from great britain to canada to germany and other parts of the world as well. >> also joining us is a guest who is editor of executive briefing. >> thank you. >> how well the executive order improve? what would be standard to improve cybersecurity? >> if you look at what we are doing, it is taking the best practices from the leading companies that do cybersecurity well and studying those -- and spreading those out to companies that do not do it well yet. what you will see is that it is about taking a lock of the standards that are out there, the practice is well known, and
6:35pm
putting them together in a well- known framework that the company could adopt. this will enable companies to have a more rigorous process to make sure the cybersecurity is where they are and what they need to be doing. it will help close a lot of the known vulnerabilities and access at bad guys have right now. >> is as similar to security practices that federal agencies have in place right now? >> it would be related. you would see the same kind of diversity that you see in the or or. -- in the private sector. some are much further along than others. they want to raise the bar there as well. there are parallels. there are differences in how
6:36pm
the private industry operates and how the government operates. it will surely be different, but you will feel parallels. >> there is a law to govern how companies should secure their systems. has that work? if so, -- >> it has worked, but it needs to be updated. it moved the ball forward for that time period, and now we have a more sophisticated understanding of what you need to do in cybersecurity. one of the things that needs to be updated is a move away from a compliance model were you periodically go back and check everything. that will not work now in the modern cyberspace age should things move -- in the cyberspace age. things move too fast.
6:37pm
what are your vulnerabilities? have you done all of the necessary patching? you would have all of that information in real-time. >> one of the main stumbling blocks on cybersecurity is that the industry believes that any regulatory regime might resemble it in that it is more focused on complying. how do modify those concerns? >> one of the things we have done is that we are in the process of a reach with industry and academia. we have held dozens of meetings -- more than 30, actually -- with groups and companies. we have stressed that we want a process that is very collaborative.
6:38pm
it does not do us any good to put out a compliance model that they cannot comply with or do that does not make sense in their business environment. the goal is to improve cybersecurity. i would say that the other thing that you can do in the executive order is that it is is designed to be highly collaborative and have industry be the one that is defining those standards. >> michael daniel, in the information sharing, you're right it is the policy of the u.s. government to end prove the and quality of cyber -- improve the quality of cyber security. our u.s. entities required to share my information with the government as well? >> the president can only direct executive branch agencies
6:39pm
to take action. under the executive order, only the entities are on the federal side. we would like companies to share more information with the federal government. we are working to encourage them to do so. we are working to have that happen. that is an area where we need legislation to deal with some of the issues that are in that space to enable more information to flow back to the private sector and to the government that the text privacy and several -- protects privacy and civil liberties. >> the word voluntary is used for currently. >> yes. we look at the issues that we face in cyberspace. if you look at the problems and how the government has to deal
6:40pm
with them, you see no one agency can deal with it. and needs to be a holistic approach. it is not just the federal government. it is federal, state, and local governments that deal with this issue. it also involves the private sector. it needs to be a collaborative approach from all parties involved working together to tackle the problem. we are stressing the voluntary part because it is the leaders in the industry that we want to come together that have expertise and the skills to make a difference. >> what are some concerned you have heard about cybersecurity from either companies such as banks and electric companies, etc.? >> you hear a lot of different concerns. one of the concerns that we hear and you see it reflected , you shareds
6:41pm
information with us that happened three months ago, but what about now? we are trying to increase our timeliness to we are ahead of the issue. we are making progress in that space. over the last year, we have improved our ability to share information with the private sector. i also hear concerns from different sectors about ensuring that the other sectors that they rely on also are increasing their cybersecurity. if you are a wink, you are reliant on water, power, -- if you are a inc., you are reliant on water, power, and transportation to do your business. we want to make sure all of these are moving together to increase security because everything is interdependent. >> this is "the communicators." michael daniel is our guest. >> you mentioned that there are
6:42pm
currently some barriers to government sharing information with the private sector. what are those legal obstacles? >> the fact that you mentioned barriers to the private sector side, those are more about policy and how we implement it. one of the things you see the executive order is that we can ramp that up on the president's site. -- side. in the other direction, there are essentially carriers to information sharing with the government based on liability. there are concerns about company sharing and competitiveness issues. i think from the administration
6:43pm
respective, there are laces that we want to have with congress on these barriers to information sharing coming back into government and between companies. one of the things i have discovered working on these issues is that when you're willing to get down to the real barriers, they are often more limited than what appears. we want to be careful that we do not overshoot in legislation. >> you bring that up because the cybersecurity and trade secrets -- what would allow companies to come to the government? >> what it does is that it puts in place the foundation to ensure that we can deal with
6:44pm
information when it comes into the government to protect by the sea and civil liberties. -- protect privacy and civil liberties. i think that will give the community much greater assurance that the government can protect them properly handle information relating to cybersecurity when it comes in. that should help encourage people or companies to have some confidence that we can handle the situation on the federal side. this will be a continuing conversation he treated the administration and congress on how to lay out the legal foundations and friend mark -- conversation between the administration and congress on how to lay out that legal foundations. it is a time-consuming process.
6:45pm
>> what kind of concerns are you hearing from members of congress about his executive order? >> in general, the reaction has been positive. i think most of the members, certainly on the democratic side and even the republican side, we have seen a willingness to talk and openness to discuss how to move forward with this and to help that implementation as effectively as possible shoul. >> section 7 c. protect individual privacy and civil liberties. how do you protect business and individuals civil liberties? >> a lot of that has to do with
6:46pm
when you look at the way information needs to be shared, it is about making sure that only be appropriate and necessary pieces of information get shared and are moved within the government. we need to establish the rules in the later criteria for when specific pieces of information will be shared and under what conditions. what that means is in many cases for a lot of parts of the government, you do not need specific names or attributions for specific individuals. you just need the broad outline for the incident that occurred. in those conditions, only that information would get shared. in other cases, law enforcement would need that information. they have a long-standing procedure to protect that kind of information once it is part of an investigation. this is about the procedures
6:47pm
that are largely present in the government, but making sure we are functioning efficiently. >> michael daniel, a lot of new stories about china. headlines are often china has attacked x. big cover story in bloomberg as well. is this policy directed toward china? >> no. it is not directed at one specific country. it is addressing the broad range of threats we face in cyberspace. it could stem from domestic or overseas actors. it does not targeted at any one individual country shou. >> when we see headlines that say china attacks, what does that mean? >> it is hard to speculate on
6:48pm
what might be behind some of that. it is undoubtedly true that we have seen actors that are based in china that carry out activities, but we have seen that in multiple countries around the world. the attribution problem continues to be difficult in cyberspace. from the administration side, with china to focus on those headlines and instead focus on improving the cybersecurity defenses defenses across-the- board so would contort -- we can thwart actors. >> there was a report released that generated many headlines. they have tasted these attacks to a building in shanghai. at what point do attacks that appear to be exercised by a foreign state becomes a military threat? >> i think that is a good
6:49pm
question. it is one that we are continuing to sort through. there is a lively debate both within the government and the industry and the private sector. if you take a step back, one of the questions that we are currently wrestling with is what exactly the government's role is in providing cybersecurity to the private sector? at what point does the government intervene and under what conditions? those are questions that are once we were we are still trying to figure out the rules of the road. >> when does the government intervene? >> when you take their recent state of attacks on the financial sector are, the
6:50pm
government was very involved -- sector, the government was very involved and active when they requested assistance. we worked with them closely to figure out what was going on. i think we would do that with any industry that came to us with those kinds of requests. that was some of the impetus behind the executive order to make sure our fiscal infrastructure really has the structures in process and practices in place to really defend their networks robustly. it is in the government' interest to make sure the infrastructure can protect itself shou. >> how involved is the intelligent maybe? >> -- community? >> it is about sharing
6:51pm
information of what the intelligent community has and the law enforcement has. it is combining that information across the government. i learned that lesson over and over again. no one agency or part of the government has a monopoly on this area. no matter how competent or good it is, it takes a coordinated effort to a chess -- address the problem. >> would it be fair to say that the line is not as clear as it is in other areas? >> i would say that you had to take all of the roles together. there are clear lines include responsibilities that belong to say the department of homeland security versus law enforcement and first is what the military will do.
6:52pm
it is not that they are blurred, but you often need tools from across those areas in order to just anyone problem. -- van just any one problem. you will want to draw information that law enforcement has. it is not that law enforcement is straying into areas that belongs to intelligence community or the intelligence community is straying into information that belongs to the homeland security. you need all elements working closely together to tackle the problem. >> what about the u.s.? does it see cyber security as threats? >> i cannot go into details. what i can say from an overall standpoint, across-the-board if you look at what the administration is doing in this
6:53pm
space, we have been updating and expanding and defining policies in cybersecurity and operations across the board. you see that in the executive order. you see that and the critical infrastructure. you see it in other strategy documents. really what you see is that evolution of all of these capabilities across the board as a tool. we apply the same principle, the same underlying approach that we do to any of our diplomatic law enforcement or military schools. the administration -- any administration would apply it and using those same principles. >> michael daniel is currently serving his third president car. he worked under president
6:54pm
clinton and president bush and is now the white house cybersecurity courted native. -- courted native. section eight b. had you envision incentives to participate in the program? >> we are looking for a broad set of incentives that encourage companies to adopt a framework. one of the things we discovered as we were working on the executive order is that there is a lot of possibilities, but not much has been done to develop them. part of that is to flush those out. you can imagine a whole range of incentives, sort of a housekeeping seal of approval.
6:55pm
there could be government contracts, if that is possible. you must play standards to have a contract with the government in this area. placit we want to explore what e are. >> again, there has been a lot of talk of the attacks on the u.s. companies with to trade secrets. there has been a new strategy to combat them. how much of a priority are these cyber security issues in discussion now? will that change as they release this new strategy? >> it has been interesting. what you have seen over the last few years, cyber security issues that have emerged in a number of different areas, i think it is much more part of the double matted discussions
6:56pm
now than it was four or five years ago. it is emerging from the cio and the computer security leaks. it is emerging as an issue. the government is being moved out of nsa issue. all of them have to do it this issue. there has been a long series of efforts to move the issue forward and make it front and center. >> one more question from our guest. >> if the legislation passes, we have seen discussion of antivirus software. how is this in terms of improving security? what steps would improve the
6:57pm
security for u.s. organizations? >> when you look at it across the board, all companies need to have a robust set of cybersecurity practices in place no matter what industry they are in. you need to have updated antivirus software. you need to have that. that will not catch everything. you need to know what is on your network and who is on your network. make sure you can watch your network and know when information is entering or leaving your network. i think that things that would make the most difference now is for companies to make sure that they are employing the best practices in the industry and going after those basic kinds of cybersecurity to really raise the bar ar. the next thing we need to do is increase those information flows.
6:58pm
make sure that we have a good sense of what the environment is like and what is happening. that will put us in a much better space to tackle the long- term and more persistent threat. >> michael daniel is the cyber security coordinator for the white house. this is "the communicators" on c-span. >> c-span, created by an american cable companies in 1979. brought to you as a public service by your television provider. >> next on c-span, "worst ladies -- influence and image -- influence and
6:59pm
image." it is live every monday on c- span, c-span radio, and c- span.org. it explores the life and times of all of the worst american ladies from martha washington to michelle obama -- of all of the worfirst american ladies from martha washington to michelle obama. ♪ >> if we turn away and the needs of others, we align ourselves with those forces bring about the forces. >> obesity in this country is nothing short of their public health crisis. >> i had little antennas that >> i had little antennas that point up